discourse/spec/models/user_api_key_spec.rb

# frozen_string_literal: true

RSpec.describe UserApiKey do
  describe "#allow?" do
    def request_env(method, path, **path_parameters)
      ActionDispatch::TestRequest
        .create
        .tap do |request|
          request.request_method = method
          request.path = path
          request.path_parameters = path_parameters
        end
        .env
    end

    it "can look up permissions correctly" do
      key =
        UserApiKey.new(
          scopes: %w[message_bus notifications].map { |name| UserApiKeyScope.new(name: name) },
        )

      expect(key.allow?(request_env("GET", "/random"))).to eq(false)
      expect(key.allow?(request_env("POST", "/message-bus/1234/poll"))).to eq(true)

      expect(
        key.allow?(request_env("PUT", "/xyz", controller: "notifications", action: "mark_read")),
      ).to eq(true)

      expect(
        key.allow?(request_env("POST", "/xyz", controller: "user_api_keys", action: "revoke")),
      ).to eq(true)
    end

    it "can allow all correct scopes to write" do
      key = UserApiKey.new(scopes: ["write"].map { |name| UserApiKeyScope.new(name: name) })

      expect(key.allow?(request_env("GET", "/random"))).to eq(true)
      expect(key.allow?(request_env("PUT", "/random"))).to eq(true)
      expect(key.allow?(request_env("PATCH", "/random"))).to eq(true)
      expect(key.allow?(request_env("DELETE", "/random"))).to eq(true)
      expect(key.allow?(request_env("POST", "/random"))).to eq(true)
    end

    it "can allow blanket read" do
      key = UserApiKey.new(scopes: ["read"].map { |name| UserApiKeyScope.new(name: name) })

      expect(key.allow?(request_env("GET", "/random"))).to eq(true)
      expect(key.allow?(request_env("PUT", "/random"))).to eq(false)
    end
  end
end
DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction 2019-04-29 20:27:42 -04:00			`# frozen_string_literal: true`

Add RSpec 4 compatibility (#17652) * Remove outdated option https://github.com/rspec/rspec-core/commit/04078317ba6577699d06cf4dccf014254dcde7a6 * Use the non-globally exposed RSpec syntax https://github.com/rspec/rspec-core/pull/2803 * Use the non-globally exposed RSpec syntax, cont https://github.com/rspec/rspec-core/pull/2803 * Comply to strict predicate matchers See: - https://github.com/rspec/rspec-expectations/pull/1195 - https://github.com/rspec/rspec-expectations/pull/1196 - https://github.com/rspec/rspec-expectations/pull/1277 2022-07-27 22:27:38 -04:00			`RSpec.describe UserApiKey do`
DEV: Use `describe` for methods in specs 2022-07-27 06:21:10 -04:00			`describe "#allow?" do`
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope 2020-10-06 12:20:15 -04:00			`def request_env(method, path, **path_parameters)`
			`ActionDispatch::TestRequest`
			`.create`
			`.tap do \|request\|`
			`request.request_method = method`
			`request.path = path`
			`request.path_parameters = path_parameters`
			`end`
			`.env`
			`end`

FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`it "can look up permissions correctly" do`
DEV: Move UserApiKey scopes to dedicated table (#10704) This has no functional impact yet, but it is the first step in adding more granular scopes to UserApiKeys 2020-09-29 05:57:48 -04:00			`key =`
			`UserApiKey.new(`
			`scopes: %w[message_bus notifications].map { \|name\| UserApiKeyScope.new(name: name) },`
			`)`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope 2020-10-06 12:20:15 -04:00			`expect(key.allow?(request_env("GET", "/random"))).to eq(false)`
			`expect(key.allow?(request_env("POST", "/message-bus/1234/poll"))).to eq(true)`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope 2020-10-06 12:20:15 -04:00			`expect(`
			`key.allow?(request_env("PUT", "/xyz", controller: "notifications", action: "mark_read")),`
			`).to eq(true)`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope 2020-10-06 12:20:15 -04:00			`expect(`
			`key.allow?(request_env("POST", "/xyz", controller: "user_api_keys", action: "revoke")),`
			`).to eq(true)`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`end`

FIX: add support for missing verbs in user api key Previously "write" scope was missing put and delete verbs which should be allowed. Also closes: #6982 2019-02-12 23:49:25 -05:00			`it "can allow all correct scopes to write" do`
DEV: Move UserApiKey scopes to dedicated table (#10704) This has no functional impact yet, but it is the first step in adding more granular scopes to UserApiKeys 2020-09-29 05:57:48 -04:00			`key = UserApiKey.new(scopes: ["write"].map { \|name\| UserApiKeyScope.new(name: name) })`
FIX: add support for missing verbs in user api key Previously "write" scope was missing put and delete verbs which should be allowed. Also closes: #6982 2019-02-12 23:49:25 -05:00
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope 2020-10-06 12:20:15 -04:00			`expect(key.allow?(request_env("GET", "/random"))).to eq(true)`
			`expect(key.allow?(request_env("PUT", "/random"))).to eq(true)`
			`expect(key.allow?(request_env("PATCH", "/random"))).to eq(true)`
			`expect(key.allow?(request_env("DELETE", "/random"))).to eq(true)`
			`expect(key.allow?(request_env("POST", "/random"))).to eq(true)`
FIX: add support for missing verbs in user api key Previously "write" scope was missing put and delete verbs which should be allowed. Also closes: #6982 2019-02-12 23:49:25 -05:00			`end`

FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`it "can allow blanket read" do`
DEV: Move UserApiKey scopes to dedicated table (#10704) This has no functional impact yet, but it is the first step in adding more granular scopes to UserApiKeys 2020-09-29 05:57:48 -04:00			`key = UserApiKey.new(scopes: ["read"].map { \|name\| UserApiKeyScope.new(name: name) })`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00
REFACTOR: Introduce RouteMatcher class This consolidates logic used to match routes in ApiKey, UserApiKey and DefaultCurrentUserProvider. This reduces duplicated logic, and will allow UserApiKeysScope to easily re-use the parameter matching logic from ApiKeyScope 2020-10-06 12:20:15 -04:00			`expect(key.allow?(request_env("GET", "/random"))).to eq(true)`
			`expect(key.allow?(request_env("PUT", "/random"))).to eq(false)`
FEATURE: user API now contains scopes so permission is granular previously we supported blanket read and write for user API, this change amends it so we can define more limited scopes. A scope only covers a few routes. You can not grant access to part of the site and leave a large amount of the information hidden to API consumer. 2016-10-14 01:05:27 -04:00			`end`
			`end`
			`end`